Foster City Ransomware Attack: When Government Silence Becomes the Real Emergency

A cyberattack has held a California city hostage for over a week. But the bigger crisis may be the government’s failure to answer to the people it serves.

A City Held Hostage — And a Council That Wouldn’t Speak

On the evening of Monday, March 24, 2026, the Foster City Council gathered for a special session with no Zoom link, no online access, and a room full of anxious residents expecting answers. What they got instead was silence.

When the council voted to declare a state of emergency — a consequence of a ransomware attack that had paralyzed nearly every city system since March 19 — not a single elected official opened their mouth to explain what had happened, what was at risk, or what they planned to do about it. The vote passed. The meeting ended. The 33,000 people who call Foster City home walked out knowing little more than they did when they walked in.

That silence is not just bad politics. It is a betrayal of the basic covenant between government and citizen — the fundamental promise that the people in power will be accountable to the people who put them there.

What Actually Happened

The facts, as best they can be determined given the city’s tight-lipped response, are these: In the early hours of Thursday, March 19, Foster City’s Information Technology staff identified ransomware on the city’s networks. Most city computer systems were taken offline almost immediately. Public services outside of emergency responses were suspended. The city’s email and phones stopped working. And according to reporting by CBS News Bay Area, that situation continued for days with no public timeline for restoration.

The city’s official press release, issued the same day as the attack, stated: “It is possible that public information has been accessed in the breach, but that remains uncertain at this time.” Out of an “abundance of caution,” residents who had ever done business with the city were advised to change their passwords and monitor their personal data.

That single paragraph is the extent of what 33,000 residents have been officially told about the potential exposure of their most sensitive personal information — including, according to cybersecurity experts familiar with the attack vector, possibly their Social Security numbers.

Police and 911 services remained operational throughout — a fact worth acknowledging. But for a city government to have its entire digital infrastructure held ransom by what experts believe are organized criminal groups operating overseas, and to respond to its own citizens with vague, minimalist statements, is simply not good enough.

The Cost of Neglected Accountability

This is not just a Foster City problem. It is a growing national crisis — and one that local governments have consistently failed to address with the seriousness it demands.

According to the cybersecurity research firm Sophos, the average cost to recover from a ransomware attack in 2025 — not counting any ransom payment — was $1.53 million. The city of Atlanta famously spent more than $17 million recovering from a single ransomware incident in 2018. Baltimore spent over $18 million after refusing to pay a $76,000 ransom demand. Hamilton, Ontario, triggered an $18.5 million cyber insurance payout after a 2024 attack.

These are taxpayer dollars. Real money. Money that could fund road repairs, public safety programs, parks, and schools — diverted instead to recover from attacks that, in many cases, were preventable with basic cybersecurity infrastructure.

Cybersecurity expert Jonathan Trull, Chief Information Security Officer of Qualis — which happens to be based in Foster City — put it plainly at the RSAC Conference in San Francisco this week, where more than 40,000 professionals had gathered while the attack unfolded just 20 miles away: “Municipalities are underfunded at times. They are part of critical infrastructure, but they don’t always have the talent and the money to defend against such sophisticated attacks.”

He is right. But underfunding is a choice. And it is a choice that elected officials make — or fail to make — year after year when they approve city budgets without prioritizing digital infrastructure. Fiscal accountability does not stop at the potholes. It extends to whether the city’s IT systems are fortified enough to protect the private data of every resident who has ever paid a water bill, applied for a permit, or called a city department.

Government Owes Citizens Transparency, Not Damage Control

There is a well-worn pattern in government crisis management: say as little as possible, wait for the news cycle to pass, and hope the public moves on. It is a strategy rooted in institutional self-preservation rather than civic duty.

As one Foster City resident posted publicly in the days following the attack: “The city has kind of been keeping us in the dark. I mean, we don’t know anything.”

That resident is not wrong. And no amount of press release boilerplate changes that reality.

Damon Small, a board member at cybersecurity firm Xcape, Inc., described the situation with stark clarity: “When a city manager has to declare a state of emergency because of a line of ransomware code, your ‘digital transformation’ hasn’t made you more efficient. It’s just made you more fragile.”

He is describing more than a technical failure. He is describing a failure of governance — of the responsibility that comes with holding public office and managing public systems. Citizens have a right to know, in plain language, whether their Social Security numbers were stolen. They have a right to know what systems failed, who is responsible for those failures, and what concrete steps are being taken to ensure this does not happen again.

A council that votes in silence and a city manager whose office deflects press inquiries is not protecting its citizens. It is protecting itself.

The Conservative Case for Digital Accountability

This is precisely where conservative principles matter most. Limited government does not mean invisible government. It means efficient, accountable, and transparent government — one that stays in its lane but executes its core responsibilities with excellence. Maintaining the security of citizen data is one of the most fundamental responsibilities a local government has. It is not optional. It is not a budget line item to be trimmed when times are tight.

Parental rights and personal responsibility begin with the assumption that individuals can make informed decisions about their own lives. But when a government fails to protect — or even disclose the exposure of — the personal data of its residents, it strips away that agency entirely. A parent cannot protect their family from identity theft if the city refuses to tell them their information may have been compromised.

Law and order does not only apply to crime on the streets. It applies to whether the institutions entrusted with public authority are following the rule of law — including sunshine laws, public record requirements, and the basic democratic obligation to answer to the people. A government that stonewalls its own residents is not governing. It is hiding.

And the traditional value of community trust — the glue that holds a neighborhood, a city, a nation together — cannot survive repeated episodes of institutional silence in the face of crisis. Trust is not demanded. It is earned. Foster City’s leadership had an opportunity to earn it this week. Instead, they voted in silence and went home.

What Comes Next — And What Must Change

Recovery from a ransomware attack of this scale typically takes three to six weeks, according to cybersecurity experts. The financial cost will likely run into the millions. The reputational cost — the erosion of public confidence in local government — is harder to quantify but no less real.

Jacob Krell of Suzu Labs said it plainly: “Every municipality of comparable size that has not tested its backup infrastructure against adversarial conditions is carrying the same risk. The only variable is timing.”

That is a warning every city council in America should print out and tape to the wall. This will happen again — to another city, perhaps yours — unless elected officials take cybersecurity seriously as a line item, a priority, and a matter of basic public trust.

A Call to Action: Demand Better

If you live in Foster City, attend the next public meeting and demand a full, transparent accounting of what data was accessed, what it is costing taxpayers, and what specific steps the city is taking to prevent this from happening again. Silence from your representatives is not an acceptable answer.

If you live anywhere else, contact your city council and ask a simple question: Has our city conducted a cybersecurity audit in the last 12 months? Are our backup systems tested against ransomware attacks? If your representative cannot answer that question, you already know there is work to be done.

Stay informed. Get involved. Share this article. Because in a healthy democracy, the antidote to institutional silence is an engaged and vocal citizenry — and that starts with you.

Sources: Foster City official press release (March 19, 2026); GovTech; ABC7/KGO; Security Magazine; Sophos 2025 State of Ransomware Report; Varonis Ransomware Statistics 2026; RSAC Conference reporting, March 25, 2026.